<h1>The eHarning Blog</h1>
<p>Personal blog with product reviews, programming, cryptography, and technology. By <a href="http://www.blogger.com/profile/04366592885413632522">Tom</a>.</p>
<h2>Review of "Programming Android" by Zigurd Mednieks</h2>
<p>Posted 2013-09-11 by Tom</p>
<a href="https://www.goodreads.com/book/show/16607857-programming-android" style="float: left; padding-right: 20px;"><img alt="Programming Android" border="0" src="https://d202m5krfqbpi5.cloudfront.net/books/1356163323m/16607857.jpg" /></a><a href="https://www.goodreads.com/book/show/16607857-programming-android">Programming Android</a> by <a href="https://www.goodreads.com/author/show/3517874.Zigurd_Mednieks">Zigurd Mednieks</a><br />
My rating: <a href="https://www.goodreads.com/review/show/717323331">4 of 5 stars</a><br />
<br />
Want to get into Android programming? What better than a book called Programming Android from O'Reilly! :) This is a GREAT resource! The book is well-organized into sections, giving you information on how to set up your environment all the way up to handling more recent topics like NFC.<br />
<br />
I find that the style of the book works well as a reference to look up roughly how you would do something, like set up NFC P2P or set up some OpenGL graphics, as well as a running tutorial to read through to learn how things work. The book is full of code examples (available online too) and valuable information on how to properly implement your applications (see Chapter 10 - A Framework for a Well-Behaved Application).<br />
<br />
Reading this book enlightened me to a great way to implement one of my projects without worrying about certain runtime issues. Originally I had considered putting logic in a run loop in the application and shutdown when it left... but that wouldn't work out right when I needed information live, but cached information would be good. The book enlightened me to "Content Providers" which using a service could provide the necessary cache I needed. Later on I discovered that the service by itself would solve my problem, but without the reading, I wouldn't have stumbled upon the path as quickly!<br />
<br />
The author, Zigurd Mednieks, has done a great job in writing a strong book on Android to complement the vast amount of information available through Google's documentation. I suggest you get this book, especially the eBook form - you can easily search through and find references / copy code-bits.
<br />
<br />
The eBook format of this book was provided free through O'Reilly's Blogger Review program, you can purchase the book from the O'Reilly book store at: <a href="http://shop.oreilly.com/product/0636920023005.do">http://shop.oreilly.com/product/0636920023005.do</a>
<br />
You can support this blog by purchasing the book through Amazon at:
<a href="http://www.amazon.com/gp/product/1449389694/ref=as_li_ss_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=1449389694&linkCode=as2&tag=eharning-20">Programming Android</a>
<br />
<a href="https://www.goodreads.com/review/list/4693320-thomas-harning">View all my reviews</a>
<h2>Review of "The Manga Guide to Relativity" by Masafumi Yamamoto, Keita Takatsu, and Hideo Nitta</h2>
<p>Posted 2012-10-08 by Tom</p>
<a href="http://www.goodreads.com/book/show/13451107-the-manga-guide-to-relativity" style="float: left; padding-right: 20px"><img alt="The Manga Guide to Relativity" border="0" src="http://akamaicovers.oreilly.com/images/9781593272722/s.gif" /></a><a href="http://www.goodreads.com/book/show/13451107-the-manga-guide-to-relativity">The Manga Guide to Relativity</a>
<p>
If you have a curiosity about physics, this is a fun way to sate it. "The Manga Guide to Relativity" by Masafumi Yamamoto, Keita Takatsu, and Hideo Nitta is a beautiful blend of manga, humor and science.
</p>
<p>
I had this book for quite some time and decided to try to get through it... little did I know that I would finish it in only a few hours of reading! While I understood some of the concepts at a very high level, some of the paradoxes and details typically got me. This guide's illustrations make the complex issues easier to grasp, while the chapter reviews help explore the topics in a little more depth.
</p>
<p>
Even though the manga was constructed with the intent of explaining the complex concepts of Special and General Relativity, it did not deviate from the tried-and-true manga recipe: bizarre scenarios, extreme characters, and strange character appearances.</p><p>The ebook format was well-implemented and worked beautifully on my Touchpad. While some PDFs choke due to overly complex layouts, this manga was smooth to navigate and rendered beautifully. Anybody used to reading mangas using "Perfect Viewer" on Android should install the PDF plugin to read this, it works great in two-page mode.</p><p>This ebook is a great read and its quality entices me to check out the other books in the "Manga guide to ..." series. If you're a high-school student just getting into physics or a manga fan looking for some intellectual fun, this book is a perfect addition to your collection.
</p>
<p>
The eBook format of this book was provided free through O'Reilly's Blogger Review program, you can purchase the book from the O'Reilly book store at: <a href="http://shop.oreilly.com/product/9781593272722.do">http://shop.oreilly.com/product/9781593272722.do</a>
</p>
<p>
You can support this blog by purchasing the book through Amazon at: <a href="http://www.amazon.com/gp/product/1593272723/ref=as_li_ss_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=1593272723&linkCode=as2&tag=eharning-20">The Manga Guide to Relativity</a>
</p>
<a href="http://www.goodreads.com/review/list/4693320-thomas-harning?shelf=reviewed">View all my GoodReads reviews</a>
<h2>LuaJSON 1.3.1 Released</h2>
<p>Posted 2012-10-05 by Tom</p>
<p><b>LuaJSON 1.3.1</b> released! If you use luarocks, just use
<span style="font-family: Courier New, Courier, monospace;">luarocks install luajson</span> since it should soon be in the repository.
<p>This release's changes include:
<ul>
<li>Documented and tested compatibility with Lua 5.1, 5.2, and LuaJIT-2.0-beta10.</li>
<li>Documented and tested compatibility with the 'classic' strict module on Lua 5.1 and LuaJIT-2.0-beta10 as provided by the LuaJIT-2.0-beta10 package.</li>
<li>Tested after-the-fact compatibility with Penlight's 'pl.strict' module for all supported Lua versions.</li>
<li>Fixes supplied by François Perrad included to address problems found in 'strict' library handling.</li>
<li>Users of the direct 'json' module will have a polluted global
environment with the 'json' module populated unconditionally.</li>
</ul>
</p>
<p>
If there are any other Lua environments that you would like added to
my test matrix, please let me know. I am always open to suggestions and improvements. I host the project on github at <a href="https://github.com/harningt/luajson">https://github.com/harningt/luajson</a>, so feel free to fork and submit merge-requests :)
</p>
<p>
A note on the 'json' module pollution: if there is a general consensus
among users of the library (wherever they may be), I'll happily remove this
pollution. I much prefer Lua 5.2's way of handling modules and don't mind the fact that creating a Lua module without the 'module' function has the side effect that Lua 5.1 doesn't even have the global pollution.
</p>
<h2>Long-Delayed Updates - Life, Projects, Work</h2>
<p>Posted 2012-07-22 by Tom</p>
<p>I've been putting off updates here for quite some time, primarily due to lack of focus. I've been working on quite a few personal things lately:
</p>
<ul>
<li>Attending free college courses on <a href="https://www.coursera.org/crypto" target="_blank">cryptography</a> and <a href="https://class.coursera.org/algo" target="_blank">algorithms</a></li>
<li>Working out the design of the <a href="https://github.com/harningt/cryptoface" target="_blank">cryptoface</a> library</li>
<li>Getting my feet wet developing mobile/desktop games with <a href="http://getmoai.com/" target="_blank">Moai</a></li>
<li>Beta testing games</li>
</ul>
<p>
On the work/career side, I've been busy as well:</p>
<ul>
<li>Designing a new cryptographic data interface</li>
<li>Designing a new memory management interface</li>
<li>Implementing a new web-request client</li>
<li>Attending people/skill-management training</li>
<li>Answering recruitment messages</li>
</ul>
<p>
While working on designing a new cryptographic data interface at work, I've had a chance to get a better handle on how certain sets of operations should behave and how one might best structure a generic system. This should help with figuring out how best to set up <b>cryptoface</b>.</p>
<p>
I also had to design a memory management interface... that was quite an eye-opener. The main objectives were to ensure that data in memory would not get flushed to disk and that any flushable memory would be protected. The issue of flushable memory was relatively easy: use unflushable memory to store a key that encrypts the flushable memory. The unflushable memory was difficult and yielded a problem: what about suspend-to-disk? It turns out that, for the relevant systems, on a suspend-to-disk operation, your 'unflushable' memory will end up on disk (unless you implement some crazy notification system that 'might' be implementable on a given platform). I plan on writing a larger article on how the memory management interface will make its way into <b>cryptoface</b>.
</p>
<p>Earlier this year I attended free online courses on cryptography and algorithms. These were <b style="font-style: italic;">awesome</b>; they took much more time than I anticipated, but they stretched my mind quite a bit. I was thinking that, given I work on cryptography so much, it would just be a refresher course. Not at all! I was also better prepared for analyzing the recent "padding oracle" attacks that have come up lately. Taking the algorithms class was a great refresher and helped give me a better appreciation than I had when I first took it at MSU as a freshman.</p>
<p>
Recently I came upon the <a href="http://getmoai.com/" target="_blank">Moai</a> development framework. It strikes me as a great fit of technologies:</p>
<ul>
<li>Lua</li>
<li>Android</li>
<li>Chrome (via NaCl)</li>
<li>Desktop (Linux/Windows/OSX)</li>
<li>iOS</li>
</ul>
<p>
Unlike many of the other frameworks out there, it is open-source! I took advantage of this during my exploration of one of the physics systems in place (box2d) and used some free time to patch it up with some documentation and unify the scaling system to better honor the virtual unit system. I plan on using it <i>sometime</i> in my free time to develop and publish a game for Android for my kids to play. What cooler way to get kid-kudos than to be the one with the dad who "wrote a video game!"
</p>
<p>
This open-source experience also gave me an <i>interesting</i> insight into an area that I had not yet ventured into: getting approval for "outside" work. My prior long-running projects were grandfathered in through the acquisition process, but I had not yet envisioned writing game software.</p>
<p>
I have also had the task of answering many recruiter messages on LinkedIn. For the longest time I was receiving many opportunities that involve moving out to an area with at least double the cost of living... not my cup of tea... at least yet. (Quick stats from a site show that moving to California would cost me 55% more and I would only be making 25% more... not cool) I discovered about a month ago that there was a section to input text for recruiters/etc to see when considering whether to send a message. Lately I haven't heard from as many (yay!) but a few of those received still seem to not read this. I also typically get requests to forward this information to any I may think fit-the-bill. Sorry... even your offer of an iPad on recruitment pass-through isn't going to work well. My current network of people is pretty much where I'd like them to be: local! In addition, most of the talent I know well and would recommend well are those that I work with (a great team!) and I dare not trade them off in return for getting someone new (though our two new contractors look to be doing quite well).</p>
<p>
On the receiving end of this when observing the contractor-search process, it looks like the hiring process for skilled individuals is extremely difficult. It seemed the process was to funnel people through that look like they "might" have qualifications. We ended up with people who lacked entry-level computer science skills... quite annoying when we have 3rd party hiring staff "pre-screening"... as the smaller TrustBearer Labs, I was more involved and had to directly deal with such individuals, but at least then it was more understandable since we didn't have a big arm to work on the screening task. Not to dismiss the recruiter's negligence in the hiring process, it seems that the pool of qualified skilled software engineers is getting quite diluted... Which will make it a bigger challenge for me if/when I ever enter the active employment search role: I'll have to fight to differentiate myself from the crowd of others out there. At least there are sites out there that are trying to help in this area:</p>
<ul>
<li><a href="http://nerdability.com/" target="_blank">Nerdability</a> - My profile is <a href="http://nerdability.com/user/harningt" target="_blank">http://nerdability.com/user/harningt</a></li>
<li><a href="https://github.com/" target="_blank">Github</a> - My public page is <a href="https://github.com/harningt" target="_blank">https://github.com/harningt</a></li>
</ul>
<p>
These work well since I do like to work on open-source software. Yet another benefit to the open-source industry, if you write good code, potential employers can see it before you work for them!</p>
<p>
Hopefully this blog post will put an end to the long blocker on writing more posts.</p>
<h2>Goodbye PGP Global Directory Key - Hello Mountain View</h2>
<p>Posted 2012-01-07 by Tom</p>
After discovering that the PGP Global Directory has been spamming my public key biweekly with 2-week signatures (see <a href="http://pgp.surfnet.nl:11371/pks/lookup?op=vindex&fingerprint=on&search=0xB1DBAD54">here</a> for a snapshot of keys), I trashed my account there to put an end to that.<br />
At first I thought the email <a href="http://lists.gnupg.org/pipermail/gnupg-users/2004-December/024007.html">threads</a> about keyserver spam not being a big problem were right, but I'm seeing how it could easily be a problem without it technically being spam. Hopefully a good solution comes about so that owners of keys could sign requests to remove keys from the signature list. I'd guess such a solution would restrict what sort of signatures could be removed (ex: signature revocations couldn't be removed, etc).<br />
<br />
Putting out my key-signing policy appears to have worked pretty well for getting keys signed; so far I have 3 cross-signatures out of it. Hopefully I can get some more signatures this year.<br />
If anyone in the Mountain View, CA area wants to work out a key-signing arrangement, I'm out there on business ~January 23-27. Could possibly work out my first signatures of the "Level 3 - 0x13 - Careful Check" type mentioned in my <a href="http://www.eharning.us/gpg/key-signing-policy/">Key Signing Policy</a> :) It is pretty trivial to get a Level 3 key signed, basically just need keys pre-exchanged and ID (driver's license, passport, other government ID).
<h2>LuaJSON 1.3 Released</h2>
<p>Posted 2011-12-29 by Tom</p>
<b>LuaJSON 1.3</b> is released to the wild!<br />
<span style="font-size: 13px;">Major changes made:</span><br />
<ul>
<li><span style="font-size: 13px;">new 'nothrow' global option - currently a trivial 'pcall' hook on decode, but could later resolve to a more efficient handler</span></li>
<li><span style="font-size: 13px;">enhanced error output from the 'next' branch</span></li>
<li><span style="font-size: 13px;">hopefully "stackless" parser - limit of parsing depth now as large as heap and not stack</span></li>
</ul>
<br />
<span style="font-size: 13px;">Rockspec for those using LuaRocks if it hasn't hit their repo yet: <a href="https://raw.github.com/harningt/luajson/b7cb1e6221ae6b70b208b242c1654da39087230d/rockspecs/luajson-1.3-1.rockspec">https://raw.github.com/harningt/luajson/b7cb1e6221ae6b70b208b242c1654da39087230d/rockspecs/luajson-1.3-1.rockspec</a></span><br />
<span style="font-size: 13px;">GitHub link for signed tag: <a href="https://github.com/harningt/luajson/tree/1.3">https://github.com/harningt/luajson/tree/1.3</a></span><br />
<span style="font-size: 13px;">Release download tarball: <a href="https://github.com/downloads/harningt/luajson/luajson-1.3.tar.gz">https://github.com/downloads/harningt/luajson/luajson-1.3.tar.gz</a></span><br />
<br />
<span style="font-size: 13px;">The "stackless" parser is basically a linearization of the LPeg parser so that it parses JSON tokens and passes them into a stack/state-machine implemented as a Lua state object. This degrades performance slightly in the pre 1.2.1 era, but removes C/LPeg stack depth problems encountered in all prior implementations (including the abominably slow 1.2.2 version that reduced the problem, but didn't solve it).</span><br />
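<p>The token-plus-explicit-stack idea described above, as an added Python sketch that is not LuaJSON code: nesting depth is bounded by heap memory rather than the call stack. The names <code>decode</code> and <code>nesting_depth</code> and the <code>max_depth</code> cap are assumptions of this example, not LuaJSON options.</p>

```python
import json
import re

# One token per match: punctuation, string, number or literal.  Strings and
# numbers are matched loosely and then validated by json.loads(), which only
# ever sees a single scalar here and so never recurses.
_TOKEN = re.compile(
    r'\s*(?:([\[\]{}:,])|("(?:[^"\\\x00-\x1f]|\\.)*")'
    r'|(-?\d[\d.eE+-]*)|(true|false|null))')
_LITERALS = {"true": True, "false": False, "null": None}


def decode(text, max_depth=None):
    """Parse JSON with an explicit heap-allocated stack instead of recursion."""
    stack, keys, result = [], [], []   # open containers and their pending keys
    state, pos = "value", 0

    def emit(value):
        # Attach a finished scalar or a newly opened container to its parent.
        if not stack:
            result.append(value)
        elif isinstance(stack[-1], list):
            stack[-1].append(value)
        else:
            stack[-1][keys[-1]] = value

    while True:
        m = _TOKEN.match(text, pos)
        if m is None:
            break
        pos = m.end()
        punct, string, number, literal = m.groups()
        wants_value = state in ("value", "value_or_end")
        top_is_list = bool(stack) and isinstance(stack[-1], list)
        if punct in ("[", "{") and wants_value:
            # Optional cap for untrusted input (an assumption of this sketch).
            if max_depth is not None and len(stack) >= max_depth:
                raise ValueError(f"nesting deeper than {max_depth} levels")
            container = [] if punct == "[" else {}
            emit(container)
            stack.append(container)
            keys.append(None)
            state = "value_or_end" if punct == "[" else "key_or_end"
        elif (punct in ("]", "}") and stack and (punct == "]") == top_is_list
              and state in ("value_or_end", "key_or_end", "comma_or_end")):
            stack.pop()
            keys.pop()
            state = "comma_or_end" if stack else "done"
        elif punct == "," and state == "comma_or_end":
            state = "value" if top_is_list else "key"
        elif punct == ":" and state == "colon":
            state = "value"
        elif string and state in ("key", "key_or_end"):
            keys[-1] = json.loads(string)
            state = "colon"
        elif punct is None and wants_value:
            emit(_LITERALS[literal] if literal else json.loads(string or number))
            state = "comma_or_end" if stack else "done"
        else:
            raise ValueError(
                f"unexpected {m.group().strip()!r} at offset {m.start()}")

    if text[pos:].strip():
        raise ValueError(f"unexpected input at offset {pos}")
    if state != "done":
        raise ValueError("unexpected end of input")
    return result[0]


def nesting_depth(value):
    """Depth of the chain of first elements, walked without recursion."""
    depth = 0
    while isinstance(value, list):
        depth += 1
        value = value[0] if value else None
    return depth


if __name__ == "__main__":
    print(decode('{"a": [1, 2, {"b": null}]}'))
    # Constructed input: 100000 nested arrays.
    print(nesting_depth(decode("[" * 100000 + "]" * 100000)))
```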
<br />
<span style="font-size: 13px;">While profiling performance, I found that some unrolling versions seemed to be a wee bit faster, but used more memory and had more pagefaults. My focus on future releases of LuaJSON will be on speed, including a possibility of 2.0 release breaking compatibility in the interest of getting > 2 MB/s JSON parsing performance. Looking at the strict YAJL parser - it hits >100 MB/s on the same data where I get 2 MB/s at best. If I can pull in an MIT-like-licensed C-based JSON parser into Lua and get >= 10x performance, I may add an option for the parser to try to consume the other parser under the LuaJSON interface (for uniformity).</span><br />
<br />
<span style="font-size: 13px;">Later I plan on enhancing encoding performance, but for the time being, decoding is most important.</span>
<h2>CryptoFace Digest Design Oops</h2>
<p>Posted 2011-06-21 by Tom</p>
<p>
Designing an interface for managing a library of cryptographic digests seems so easy, right?
</p>
<p>
Select a digest from a list, process data, get a hash... all there is to it, right?
</p>
<p><b>WRONG!</b></p>
<p>
While pulling in another digest provider, <a href="http://botan.randombit.net/">Botan</a>, I found some items that did not fit into the simple model. Namely the configurability of some of the uncommon and new digest algorithms:
<ul>
<li><a href="http://en.wikipedia.org/wiki/Skein_(hash_function)#cite_ref-1">Customizable output size</a> of the 3 Skein internal storage variants</li>
<li>Customizable "personalization" value of Skein</li>
<li>Custom number of rounds and output size for Tiger</li>
<li>...</li>
</ul>
This is even without the notions of composing digests in various fashions, such as in parallel or in a <a href="http://en.wikipedia.org/wiki/Feistel_cipher">Feistel scheme</a>.
</p>
<p>
In light of this, I anticipate changing my mechanism for obtaining and enumerating digest implementations. Changes will likely include moving the enumeration of digests to more of a secondary feature, making the move to a set of 'well-defined' digest identifiers to be mapped from strings, and making way for parameterized construction of digests to accommodate more complex notions, including hash-based MACs/etc.
</p>
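<p>One way the planned shape could look, as an added Python sketch that is not cryptoface code: well-defined string identifiers map to parameterized constructors, parameters are validated before any data is hashed, and HMAC and parallel composition wrap other digests. Python's <code>hashlib</code> has no Skein, so BLAKE2b stands in as the digest with configurable output size and personalization; every name below (<code>SHA2</code>, <code>BLAKE2b</code>, <code>HMAC</code>, <code>Parallel</code>, <code>by_name</code>, <code>digest_stream</code>) is an assumption of this example.</p>

```python
import hashlib
import hmac

# Every constructor checks its parameters up front and returns a factory:
# a callable that yields a fresh hash state, so one description can be
# reused for many streams without sharing state.


def SHA2(bits):
    if bits not in (224, 256, 384, 512):
        raise ValueError(f"SHA-2 has no {bits}-bit variant")
    return lambda data=b"": hashlib.new(f"sha{bits}", data)


def BLAKE2b(out_bits, person=b""):
    # Stand-in for Skein: output size and personalization are parameters.
    if out_bits % 8 or not 8 <= out_bits <= 8 * hashlib.blake2b.MAX_DIGEST_SIZE:
        raise ValueError("output size must be whole bytes, 8 to 512 bits")
    if len(person) > hashlib.blake2b.PERSON_SIZE:
        raise ValueError("personalization value too long")
    return lambda data=b"": hashlib.blake2b(
        data, digest_size=out_bits // 8, person=person)


def HMAC(inner, key):
    # 'inner' must be a primitive digest factory (it needs a block size).
    if not key:
        raise ValueError("HMAC needs a non-empty key")
    return lambda: hmac.new(key, digestmod=inner)


class _Parallel:
    """Feeds the same data to several digests; output is the concatenation."""

    def __init__(self, states):
        self._states = states

    def update(self, data):
        for state in self._states:
            state.update(data)

    def digest(self):
        return b"".join(state.digest() for state in self._states)


def Parallel(*factories):
    if len(factories) < 2:
        raise ValueError("Parallel needs at least two digests")
    return lambda: _Parallel([make() for make in factories])


# Well-defined identifiers map onto parameterized constructions.
WELL_KNOWN = {
    "sha2-256": lambda: SHA2(256),
    "sha2-512": lambda: SHA2(512),
    "blake2b-512": lambda: BLAKE2b(512),
}


def by_name(name):
    try:
        return WELL_KNOWN[name.lower()]()
    except KeyError:
        raise ValueError(f"unknown digest identifier: {name!r}") from None


def digest_stream(factory, chunks):
    """Run an iterable of byte chunks through a fresh state; return the digest."""
    state = factory()
    for chunk in chunks:
        state.update(chunk)
    return state.digest()


if __name__ == "__main__":
    chunks = [b"constructed ", b"sample ", b"input"]
    print(digest_stream(by_name("sha2-256"), chunks).hex())
    print(digest_stream(HMAC(SHA2(256), b"KEY"), chunks).hex())
    combo = Parallel(SHA2(512), BLAKE2b(256, b"Personalization"))
    print(len(digest_stream(combo, chunks)))
```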
<p>
The change will not be without complication, however in light of analyzing the problem and the Botan library, I think I may be able to make some elegant structures possible for dealing with complex algorithms... at least with the Lua engine. An example set of structures could be:
<pre>
-- Simple sized sha2 filter
x = Filter(SHA2(256))
-- HMAC
x = Filter(HMAC(SHA2(256),"KEY"))
-- Complex chain of hashes
x = Filter(Parallel(SHA2(512), Skein(512,1024,"Personalization")))
-- Take the filter and stream file-to-file using ltn12
ltn12.pump.all(
ltn12.source.file("SOURCEFILE"),
ltn12.sink.chain(x, ltn12.sink.file("SOURCEFILE.hash")))
</pre>
<h2>Review of "SQL Pocket Guide" by Jonathan Gennick</h2>
<p>Posted 2011-06-07 by Tom</p>
<a href="http://www.goodreads.com/book/show/10565212-sql-pocket-guide" style="float: left; padding-right: 20px"><img alt="SQL Pocket Guide" border="0" src="http://photo.goodreads.com/books/1298428370m/10565212.jpg" /></a><a href="http://www.goodreads.com/book/show/10565212-sql-pocket-guide">SQL Pocket Guide</a> by <a href="http://www.goodreads.com/author/show/239791.Jonathan_Gennick">Jonathan Gennick</a><br/>
My rating: <a href="http://www.goodreads.com/review/show/174363587">4 of 5 stars</a><br />
<p>
The complexity of developing database queries with SQL is a challenge often requiring frequent documentation searches. The "SQL Pocket Guide" by Jonathan Gennick is a great converged reference for many common database implementations.
</p>
<p>
The best feature of this guide is the breadth of detail it offers. It provides a high-level view of database structures and provides useful details for taking strategies available in one implementation and possibly using them in another database engine. An example of this is the references from custom database function naming of Oracle's "analytic functions" and DB2's "OLAP functions" to the standard's name of "windowing functions". This allows you to take the naming you are familiar with, have been taught, or overheard, refer to it using that name, and find an appropriate redirection.
</p>
<p>
If you find that you are working with many different databases or want a quick reference to see if a given structure is available in a given database implementation, this guide is for you. Need a list of common data types for a category of data type: this guide has it. Need the details on dealing with times and dates: this guide has a good 20 pages on it. Even if it may not have all the tiny details you may need on a given topic, it can be a compass for finding your way through detailed documentation to what you want to find out.
</p>
<p>
The eBook format of this book was provided free through O'Reilly's Blogger Review program, you can purchase the book from the O'Reilly book store at: <a href="http://oreilly.com/catalog/0636920013471">http://oreilly.com/catalog/0636920013471</a>
</p>
<p>
You can support this blog by purchasing the book through Amazon at:
<a href="http://www.amazon.com/gp/product/1449394094/ref=as_li_ss_tl?ie=UTF8&tag=eharning-20&linkCode=as2&camp=217153&creative=399349&creativeASIN=1449394094">SQL Pocket Guide (Pocket Guides)</a>
</p>
<a href="http://www.goodreads.com/review/list/4693320-thomas-harning?shelf=reviewed">View all my GoodReads reviews</a>
<h2>GnuPG Key Plan</h2>
<p>Posted 2011-04-19 by Tom</p>
<p>After much reading and analyzing of the issue of re-keying (again!), I've come up with a plan for my GnuPG key security to help put some predictability in my key management.</p>
<ul>
<li><b>~week - 2011/04/20-2011/04/22</b> Generate and put in place an RSA 3072-bit primary keypair.</li>
<li><b>~month - 2011/04/20-2011/04/30</b> Generate ECDSA NIST P-384 and ECDSA NIST P-521 primary keys</li>
<li><b>~19 years - 2030</b> Migrate to new ECDSA keys and revoke the RSA 3072-bit key, marking it superseded.</li>
</ul>
<p>
I will put my 3072-bit keypair in active use for compatibility reasons and the fact that it should be adequate, per <a href="http://csrc.nist.gov/groups/ST/toolkit/key_management.html#Guideline">NIST SP800-57 Part 1</a>, for beyond 2030. To better future-proof in case of a strong attack against RSA that compromises 3072-bit keys, I will also put my ECDSA P-384 and P-521 keypairs into key-signing practice where possible. I have chosen to use 2 additional keypairs in order to better prepare for possible stronger attacks in the future. ECDSA for OpenPGP is currently an IETF draft in its <a href="http://tools.ietf.org/html/draft-jivsov-openpgp-ecc-07">8th draft</a> (last 7 drafts not touching ECDSA definitions).</p>
<h3>Management of Multiple Primary Keys</h3>
<p>
With regards to key management, I intend to avoid publishing the P-384 and P-521 keys for the fact that I do not know which I will be using in the future and do not want to clutter the keyservers with keys that I will not be using in the near future. I will test key signing with at least the released version of GnuPG (2.0 series) to see if it can sign ECC keys (even though it will not likely be able to do anything with them)... hopefully this will reveal that the key management process is somewhat blind to key contents. Assuming no better mechanism arrives by the year 2030, I will probably transition to either the P-384 or P-521 ECDSA key. I intend to follow the NIST publications to watch for adjustments to the guidelines on RSA key usage for signatures.
</p>
<h3>Key Signing Policy</h3>
<p>
I will also write a key signing policy to be attached to signatures issued by my keys. One feature that I hope to be able to write in is a reasonable mechanism to commute the signature to another of their keys with a lesser level of authentication than initial key signing. Given that obtaining key signature authentication is quite a challenge in Indiana, I want to make it practical to walk keys forward instead of an extra "ordeal" to get keys resigned. I intend to read published key signing policies to come up with one that provides good practices with practicality.
</p>
<h3>Key Publication</h3>
<p>
All of my keys will be published on my primary web site at <a href="http://www.eharning.us/gpg/">http://www.eharning.us/gpg/</a>. My active keys will be published to the key servers through hkp://keys.gnupg.org and also independently to the <a href="https://keyserver.pgp.com/vkd/GetWelcomeScreen.event">PGP Global Directory</a>. I intend to keep the naming the same beyond moves to other web page management systems for uniformity. I will also publish the key signing policy underneath that (eventually at <a href="http://www.eharning.us/gpg/key-signing-policy/">http://www.eharning.us/gpg/key-signing-policy/</a>). I will be signing the markdown content generating the key-signing-policy and hopefully publishing it linked directly in the web site for verification. What good is a policy if you can't verify who wrote it!
</p>
<h2>Key backup for the paranoid</h2>
<p>Posted 2011-04-15 by Tom</p>
<p>When doing this GPG key work, I realized that if by some chance drives failed and USB keys no longer worked right, I'd be unable to access tons of data backed up encrypted with them. I wouldn't want to back up the GPG keys in the same way as my other data due to the sensitivity.</p>
<p>
Some conventional methods of backup that can be used as a "standard" item to handle recovery:
<ul>
<li>CD/DVD backup</li>
<li>USB Flash Drive</li>
<li>Hard Drive</li>
</ul>
Hard drive backup is somewhat out of the question as using an entire hard drive for backup and putting in a safe is out of my budget. USB flash drives paired with optical backup work great as a "fast" recovery mechanism in case something goes wrong. The problem with these is that testing them as backups is somewhat tedious.</p>
<p>
Here's where <b>paper</b> comes in. You print out your key data in some form that can be input back into the computer in a reasonable manner. Now this may seem backwards, but it is quite useful for backup. You can easily print say, 10 copies of the key, slip them in something to reduce air exposure, and put them in safe deposit boxes / home safe / etc. For recovery check, you can visually inspect them to make sure that they are not degrading. To test thoroughly, you can take a small sample (ex: 1 from each backup location) and attempt a recovery. Redundancy with paper backup is quite trivial.
</p>
<p>
Now... how do you put the key on paper? You could print it in hex or base64-encode it and OCR or manually type it in... but that is tedious and error-prone. For high-density machine-readable data storage on paper you can use 2D barcodes. These typically have error-correcting codes built in to help manage slight flaws in the paper or scan. A good article at Coding Horror, <a href="http://www.codinghorror.com/blog/2009/07/the-paper-data-storage-option.html">The Paper Data Storage Option</a>, illustrates some mechanisms for paper backup. I tried stuffing backup data into QR codes and datamatrix blocks, but found that the available encoding/decoding software was quite finicky. Another problem with these formats was that they are not intended to store bulk data. There must be some other good way of encoding data for printing and recovering...</p>
<p>
In steps the mentioned Windows application <a href="http://ollydbg.de/Paperbak/">PaperBack</a> by Oleh Yuschuk. This tool takes an input file and prints out dotted pages arranged in blocks to store your data. It provides redundancy through duplicating blocks and arranging them throughout the pages, as well as error-checking codes within each individual block.</p>
<p>I also tried the <a href="http://ronja.twibright.com/optar/">Twibright Optar</a> paper backup mechanism, but ran into the problem that it expected a high quality printing medium and I found it hard to tweak it to work with my readily available inkjet. Of course for final usage, laser printing would likely yield high enough quality to meet my needs.</p>
The two backup mechanisms have their pros and cons.<br />
<p>
<b>PaperBack</b><br />
Pros:
<ul>
<li>Easy to use - builtin printing and scanning capabilities</li>
<li>Visual display of the quality of the scan, permitting visual detection of where your backup may be degrading</li>
<li>Easy customization of DPI, dot-size, redundancy</li>
<li>Good reliability even in the face of injected errors through gimp</li>
</ul>
Cons:
<ul>
<li>Windows only - right now</li>
<li>Imports/Exports only as bitmap if not using direct print/scan</li>
</ul>
</p>
<p>
<b>Twibright Optar</b><br />
Pros:
<ul>
<li>Linux-compatible</li>
<li>Provided documentation describes the theory of how the encoding works well</li>
<li>Better data density</li>
<li>PNG input support</li>
</ul>
Cons:
<ul>
<li>Needs hand-edited code to change dot-size</li>
<li>Seems to be very sensitive to artificially introduced errors through whole-image noise/damage/rotation</li>
</ul>
</p>
<p>
I selected PaperBack as my primary backup mechanism since it met my needs and provided an easy way to tell how "bad" my backup was. I took my GPG secret key blob, sent it to PaperBack for handling, and was able to pack it onto less than a single sheet of paper with the lowest DPI (80), a redundancy of 10 block copies, and AES encryption of the entire data blob (beyond what GPG protects the key data with). Recovery was fast, but showed errors right from the start. These errors were quite recoverable and well within the range where errors could be recovered from. Seeing how useful paper/image-based data transfer is, I intend on using a QR or datamatrix code that has my public key information (ID/thumbprint) to help with key signing and simple detection of which key should be used for verification/encrypted email.
</p>
<p>
With a paper copy in protected locations, I can be even more certain that the lifetime of my GPG keys will be beyond the lifetime of the machine they came from. This sort of thing becomes quite important when protecting information that may, by chance or on purpose, outlive you.
</p>
<p><b>8192-bit GPG Certification Key - Why and How</b><br />
Posted 2011-04-15 22:01 -04:00</p>
<p>I generated my primary key, the <i>certification key</i>, with an 8192-bit RSA key to help ensure that it lasts for quite some time. I figure that this should prove adequate until ECC is integrated into the OpenPGP specification and a majority of applications start supporting it. I keep this key very well protected and excluded from the set of private keys I use regularly.
</p>
<p>
Now for the how. GPG does not permit generation of 8192-bit keys normally. I found something somewhere hinting at using the batch mode of GPG key generation, but do not recall where.
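An example command-set that will get you an 8192-bit RSA signing key:
<pre>
# Batch mode accepts a Key-Length that the interactive prompts refuse.
# GnuPG 2.1 and later also need --enable-large-rsa for RSA keys above 4096 bits.
# PASSWORD is a placeholder; the passphrase sits in this input in clear text.
gpg --batch --gen-key <<EOF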
Key-Type: RSA
Key-Length: 8192
Name-Real: ME
Name-Comment: COMMENT
Name-Email: EMAIL
Passphrase: PASSWORD
EOF
</pre>
</p>
<p>
To segregate my certification key from the other keys in use, I exported the secret portion of the subkeys using --export-secret-subkeys, wiped out the overall key, then re-imported the 'subkey' file. One downside to this sort of mechanism is that it isn't quite OpenPGP compliant and other tools such as APG cannot use the subkeys file (they complain about the missing primary key).
</p>
<p><b>Venture Back to GnuPG and my GPG Key</b><br />
Posted 2011-04-12 22:32 -04:00</p>
<pre>
GPG KEY:
sec# 8192R/B7CE5252 2011-04-11
Key fingerprint = 5359 D88D 11DB 6981 C92E A723 023C 6BB2 B7CE 5252
uid Thomas Harning Jr <harningt@gmail.com>
ssb 2048R/7B0654AB 2011-04-11 (email signing)
ssb 2048R/72F567FF 2011-04-11 (email/file decryption)
ssb 4096R/97E7681D 2011-04-11 (codesigning/etc)
</pre>
<p>I've ventured back into the realm of GPG with its web-of-trust and easy file signing/encryption. I was prompted to do this when I realized I had no good long-term cryptography solution for dealing with documents that I want to be protected and available in the future, even if my safe drives fail.</p>
<br />
In my scheme I planned to have the following sort of key structure:<br />
<ul>
<li>Root Protected Key - large key and stored off-disk</li>
<ul>
<li>Machine Keys - each machine gets its own keys to manage for encryption/decryption</li>
</ul>
</ul>
<p>
The problem I realized with this is that in order to do email encryption/signing, I may have to go to a specific machine to recover the data. There is also the problem that multiple keys complicate managing trust.</p>
<p>
When working through GPG's features, I realized I could have a similar structure without multiple independent GPG keys... GPG has the concept of subkeys that lets me do what I want with a centrally managed identity. A short little dance lets me set up a root protected key that is not on the system disk, but instead on an encrypted removable drive. You could also do this with a hardware token, but currently key size is limited and a hardware token has more value if you operate in a less-trusted environment or may potentially lose it.</p>
<p>
My single key is set up as follows:
<ul>
<li>Master key: non-expiring 8192-bit RSA key with Certifier and Signing capabilities<br />
Stored on a hardware encrypted drive (with copies of "day-to-day" keys) and used only when in a "safe" environment (ex: Linux LiveCD)</li>
<li>2048-bit Email/File signing key expiring in a few years</li>
<li>2048-bit Email/File decryption key expiring in a few years</li>
<li>4096-bit Signing key - for uses such as software signing, expiring after email keys</li>
</ul>
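<p>An added example, not part of the original posts: a check that a machine's keyring matches the layout above after the --export-secret-subkeys, delete and re-import procedure from the previous post, where the primary secret key is only a stub (the "sec#" in the listing) and the day-to-day subkeys are present and expire. It assumes the colon-separated listing format of GnuPG 2.1 or later; the sample listings, key IDs and function names are constructed for the example.</p>

```python
import time

# Constructed listings in `gpg --list-secret-keys --with-colons` form (key IDs,
# dates and uid are made up). Field 15 is '#' when only a stub of the secret
# key is in the keyring and '+' when the secret material is available.
BEFORE = """\
sec:u:8192:1:AAAAAAAAAAAAAAA0:1302480000:::u:::scESC:::+:::23::0:
uid:u::::1302480000::::Example User <user@example.org>:
ssb:u:2048:1:AAAAAAAAAAAAAAA1:1302480000:1397088000:::::s:::+:::23:
ssb:u:2048:1:AAAAAAAAAAAAAAA2:1302480000:1397088000:::::e:::+:::23:
ssb:u:4096:1:AAAAAAAAAAAAAAA3:1302480000::::::s:::+:::23:
"""
# Same key after the subkey-only re-import, with an expiry on the last subkey.
AFTER = """\
sec:u:8192:1:AAAAAAAAAAAAAAA0:1302480000:::u:::scESC:::#:::23::0:
uid:u::::1302480000::::Example User <user@example.org>:
ssb:u:2048:1:AAAAAAAAAAAAAAA1:1302480000:1397088000:::::s:::+:::23:
ssb:u:2048:1:AAAAAAAAAAAAAAA2:1302480000:1397088000:::::e:::+:::23:
ssb:u:4096:1:AAAAAAAAAAAAAAA3:1302480000:1460160000:::::s:::+:::23:
"""


def parse_secret_keys(listing):
    """Yield one dict per sec/ssb record of a --with-colons listing."""
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "ssb") and len(f) >= 15:
            yield {
                "primary": f[0] == "sec",
                "bits": int(f[2]),
                "keyid": f[4],
                "expires": int(f[6]) if f[6] else None,
                "caps": f[11],
                "stub": f[14] == "#",
            }


def audit(listing, now=None):
    """Report deviations: primary secret present, subkey missing or not expiring."""
    now = time.time() if now is None else now
    findings = []
    for key in parse_secret_keys(listing):
        label = f"{key['keyid']} ({key['bits']}-bit, usage {key['caps']})"
        if key["primary"]:
            if not key["stub"]:
                findings.append(f"{label}: primary secret key is in this keyring")
            continue
        if key["stub"]:
            findings.append(f"{label}: subkey secret is missing")
        if key["expires"] is None:
            findings.append(f"{label}: subkey never expires")
        elif key["expires"] <= now:
            findings.append(f"{label}: subkey has expired")
    return findings


if __name__ == "__main__":
    for name, listing in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(listing, now=1302566400) or "layout matches")
```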
<p>Request: Sign my GPG key. If there are any measures you feel are good for proving my identity, let me know. Depending on who you are, I'll try to figure out what sort of proof I'd need to cross-sign your key.</p>
<p><b>This Year's Fiction Book Plan</b><br />
Posted 2011-04-12 00:49 -04:00</p>
For one of my New Year's resolutions, I stated that I would write and publish a book this year. I believe that I may have finally come up with my subject matter. Watching Netflix movies / television episodes and listening to podcasts, I found a good working "environment" that I can write a story in.<br />
The following bullet-points illustrate some items to work in:<br />
<ul>
<li>Science-Fiction Adventure w/ Mystery elements</li>
<li>Team of agents (5-6?)</li>
<li>Fantasy mix-in with extra-terrestrial technology/creatures</li>
<li>Possible dimension/time-travel/vision/manipulation</li>
</ul>
<div>
I have ideas for how to get this put together, such as starting it off in the middle of the action with a new (or soon-to-be) agent. He/she would then act as an audience surrogate working to unveil the status quo and start the "real" bits of action.</div>
<div>
Depending on how the plot rolls out, I intend to at least lay out a world in which additional stories can be told, or better yet, have the potential to be a set of serial stories.</div>
<div>
<br /></div>
<div>
Any ideas on what can be mixed in, character ideas, or mythologies to incorporate (ex: Cthulhu, Egyptian, Doctor Who, etc), are <b><i>VERY</i></b> welcome.</div>
<div>
<br /></div>
<div>
If anyone has any editing experience or knows of any "budget/free" science-fiction editors, let me know, since if I think this is quality, I'd like to polish it without relying on my skewed personal opinion.</div>
<p><b>"Small" O'Reilly Book/Video Wish List</b><br />
Posted 2011-02-10 22:22 -05:00</p>
Here's a short wish list of O'Reilly books and videos that I found that would be great... both for professional work, as well as personal enjoyment for developing my own software :)<br />
<br />
<br />
<ul>
<li><a href="http://oreilly.com/catalog/9780596002701/">Network Security with OpenSSL</a> - Print+eBook - great to decipher the cryptic OpenSSL cryptographic library</li>
<li><a href="http://oreilly.com/catalog/9781934356586/">The Agile Samurai</a> - would be great to manage some of the massive projects at work!</li>
<li><a href="http://oreilly.com/catalog/0636920017462/">McCullough and Berglund on Mastering Git</a> - Video - I know Git very well... can't hurt to enhance the knowledge further with other angles/examples</li>
<li><a href="http://oreilly.com/catalog/9780596520137/">Version Control with Git</a> - Print+eBook - Always good to have more references :)</li>
<li><a href="http://oreilly.com/catalog/9780596521196/">Using SQLite</a> - Print+eBook - The database that is everywhere... Android, iPhone, Chrome, Firefox, ...</li>
<li><a href="http://oreilly.com/catalog/9781449302689/">Programming Android</a> - Early Release - eBook - Type of phone that Jenn and I have, already developed an app for it, just want more reference material</li>
<li><a href="http://oreilly.com/catalog/9781593271749/">The Art of Debugging with GDB and DDD</a> - Print+eBook - Useful for debugging on most platforms</li>
<li><a href="http://oreilly.com/catalog/0636920016205/">Great Bash</a> - Video</li>
<li><a href="http://oreilly.com/catalog/9781934356456/">Language Implementation Patterns</a> - Know how to use LPeg well, may as well learn how to make 'good' languages</li>
<li><a href="http://oreilly.com/catalog/9780596516130/">Learning OpenCV</a> - Print+eBook - Interesting topic to look into... taking images/videos and doing programmatic stuff with them</li>
<li><a href="http://oreilly.com/catalog/9781565924536/">Mastering Algorithms with C</a> - Print+eBook - Can never have too many references on algorithms that aren't patented!</li>
</ul>
<br />
<p><b>Review of "The Art of Concurrency" by Clay Breshears</b><br />
Posted 2011-02-06 15:59 -05:00</p>
<a href="http://www.goodreads.com/book/show/6611079-the-art-of-concurrency" style="float: left; padding-right: 20px"><img alt="The Art of Concurrency: A Thread Monkey's Guide to Writing Parallel Applications" border="0" src="http://photo.goodreads.com/books/1266785375m/6611079.jpg" /></a><a href="http://www.goodreads.com/book/show/6611079-the-art-of-concurrency">The Art of Concurrency: A Thread Monkey's Guide to Writing Parallel Applications</a> by <a href="http://www.goodreads.com/author/show/2984461.Clay_Breshears">Clay Breshears</a><br/>
My rating: <a href="http://www.goodreads.com/review/show/144573715">4 of 5 stars</a><br />
<p>
With CPUs growing in power by adding additional cores as opposed to just getting “faster”, learning how to take advantage of parallel programming is a must. The book “The Art of Concurrency: A Thread Monkey's Guide to Writing Parallel Applications” by Clay Breshears works great as a reference and guide for determining when parallelization may be possible, how it could be done, and what to look out for.
</p>
<p>The book introduces the reader to parallel programming with a set of useful rules and guidelines to follow to plan for optimizing algorithms by distributing workloads through concurrent programming. Much of the remainder of the book enumerates some common tasks and how to make them concurrent. One of the best parts of the common task listing is the scorecard for evaluating the quality of the implementation. The scorecard includes the useful performance factors of “efficiency” and “scalability”. It also includes the important details of “simplicity” and “portability”, important when evaluating methods for maintainable code.
</p>
<p>The common threading tools OpenMP, Intel Thread Building Blocks, and POSIX threads are described in the early chapters and sprinkled throughout the examples in a useful manner, providing exposure to different ways one might implement concurrency; not everyone needs to re-invent the wheel when optimizing tasks.
</p>
<p>
The eBook format of this book was provided free through O'Reilly's Blogger Review program; you can purchase the book from the O'Reilly book store at: <a href="http://oreilly.com/catalog/9780596521547">http://oreilly.com/catalog/9780596521547</a>
</p>
<p>
You can support this blog by purchasing the book through Amazon at:
<a style="float:right" href="http://www.amazon.com/gp/product/0596521537?ie=UTF8&tag=eharning-20&linkCode=as2&camp=1789&creative=390957&creativeASIN=0596521537">
<img border="0" height="110" width="84" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDc1E_7WQ80oEpp1pd1hNqbZ6zJ72158vR6L-RqoKu3Th5zWHoskbRbFRrkJW0bl8X5RoQR9ohrfqLZhrnqae-nwjbEZTAhQuCdctRTv769_TmtWGveLCymHDbrlhyphenhyphenoBDQ5rLB5EM-xag/s320/51OYmIrNu3L._SL110_.jpg" /></a><img src="http://www.assoc-amazon.com/e/ir?t=eharning-20&l=as2&o=1&a=0596521537" width="1" height="1" border="0" alt="" style="border:none !important; margin:0px !important;" />
</p>
<a href="http://www.goodreads.com/review/list/4693320-thomas-harning">View all my GoodReads reviews</a>
<p><b>Review of "The Nexus" book</b><br />
Posted 2011-01-22 21:20 -05:00</p>
<a href="http://www.goodreads.com/book/show/9938268-the-nexus">The Nexus</a> by <a href="http://www.goodreads.com/author/show/4509480.Richard_Fazio">Richard Fazio</a><br/>
My rating: <a href="http://www.goodreads.com/review/show/136192619">3 of 5 stars</a><br /><br />
The Nexus was my first GoodReads "FirstRead" free book. It's a science-fiction novel set in contemporary New York, speckled with bits of metaphysics, conspiracy, and danger.
<br/>
<br/>The main character, Balthazar Sykes, embarks on a personal quest to discover what is going on with his mind, leading him to discover how he became the way he is while building stronger relationships. The quest is experienced through the eyes of many characters. The antagonists' point-of-view is revealed in a few segments, quite effectively giving the shadowy insights that tease the reader until resolved later.
<br/>
<br/>A few of the characters such as Sykes's love interest, Alex, and co-worker Madge, develop to be well-rounded. Others do not get quite the same development time out of necessity: helpful side-characters for lack of importance; antagonists to avoid ruining the suspense.
<br/>
<br/>The story's epilogue works quite well in closing the few open ends left. It is just the right length of story, both in terms of book size and timelines. You get just enough in terms of introducing characters as events begin to unfold, and not too much after the resolution, just bits of closure regarding relationships.
<br/><br/>
<a href="http://www.goodreads.com/review/list/4693320-thomas-harning">View all my GoodReads reviews</a>
<p><b>LuaJSON Roadmap</b><br />
Posted 2011-01-20 18:00 -05:00</p>
My <a href="https://github.com/harningt/luajson">LuaJSON project</a> (hosted at GitHub) has slowed down in development over time as new features are hard to implement when the problem is so well defined. I do have a few plans for LuaJSON, however.<br />
<br />
First priorities:<br />
<br />
<ul><li>Figure out how to do nil round-tripping safely</li>
<li>Create validation tests for the enhanced error output in the latest-and-greatest code</li>
<li>Make sure it works with Lua 5.2</li>
</ul><div>Future items:</div><div><ul><li>Prepare LuaJSON for inclusion in the Gentoo package database</li>
<li>Construct small C Lua extension to offer faster encoding options</li>
<li>Construct small C Lua extension to offer faster decoding options </li>
</ul><div>If there are any ideas for enhancements or newly found bugs, please don't hesitate to post them on my <a href="https://github.com/harningt/luajson/issues">LuaJSON issue-tracker</a> or here.</div></div>
<p><b>Lumina and the Future of luaevent</b><br />
Posted 2011-01-19 22:52 -05:00</p>
My long-term goal of producing the luaevent replacement, Lumina (part of the "ehrCom" parent project), has been put off for quite some time. Given my recent time constraints for projects, I estimate that the time I have available for this re-engineering project will make it take quite a while. The vastness of the project and the intention to document the design before implementation make it far from usable in the near term.<br />
<br />
In the meantime, luaevent is a great way to get fast event-based socket programming in Lua right now. Matthew Wild of the <a href="http://prosody.im/">Prosody</a> team constructed a fork of luaevent a while back with patches he applied to luaevent when I didn't have the time to review and apply them to the main tree. I recently reviewed and applied the changes to produce new <a href="https://github.com/harningt/luaevent/tree/v0.3.0">0.3.0</a> and <a href="https://github.com/harningt/luaevent/tree/v0.3.1">0.3.1</a> releases. The 0.3.0 release was missing some of the latest updates, so a 0.3.1 bugfix release was made.<br />
<br />
I intend to keep luaevent up-to-date with any provided patches and review them in a reasonable period. That way the need for the forked version can go away and the original tree can be used.<br />
<br />
The next major enhancements that I foresee luaevent having are:<br />
<br />
<ul><li>Enhanced build tool integration</li>
<ul><li>Autotools for Linux</li>
<li>CMake for Linux and Windows</li>
</ul><li>Review of implementation to see if it can be better managed using new techniques learned from other Lua projects</li>
<li>Mirrored API using libev</li>
</ul>